Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 11:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    787dad1bbeb81bbdd632321c158541f842447e7c9b3acd0aba65c80e4ded9a89.exe

  • Size

    728KB

  • MD5

    032f33f8d2fc873a2768470f3baef37e

  • SHA1

    a182237ba140d29fe9809f98d92529addbce6eeb

  • SHA256

    787dad1bbeb81bbdd632321c158541f842447e7c9b3acd0aba65c80e4ded9a89

  • SHA512

    bb1c653fae1c46b76850bd6e056c057771c8fc74702483bb2f438808e17b4e895f5558ddfa84157302024216f65ec007bdeeb839787071fb6049bb8c6d5037fa

  • SSDEEP

    12288:gMryy90mCQH31/9WKsyanitRKNBqjb7o4XgtxqOGW5lUqK51kS26z4K8vgdh7XDN:CyPB9+1izKascgt9Gr4K8vsVUGL

Score
10/10
redlinemaxidiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

maxi

C2

83.97.73.126:19046

Attributes
  • auth_value

    6a3f22e5f4209b056a3fd330dc71956a

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\787dad1bbeb81bbdd632321c158541f842447e7c9b3acd0aba65c80e4ded9a89.exe
    "C:\Users\Admin\AppData\Local\Temp\787dad1bbeb81bbdd632321c158541f842447e7c9b3acd0aba65c80e4ded9a89.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068539.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068539.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8645782.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8645782.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6463495.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6463495.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4160
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9222261.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9222261.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2020
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1054304.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1054304.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:416
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2712
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1254105.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1254105.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1876

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068539.exe
    Filesize

    526KB

    MD5

    ad7af1ae553baec57ce41810f504a283

    SHA1

    3640da4da0e01ad2251a79641024ca0833810af8

    SHA256

    10a3a1a4a5f060bc0282b9294e5ae6e102c43ee434f69b048ba8e53dfe4ff735

    SHA512

    cb9aad75d0d1c26675c5a8676d4ab1c25ae781b063fe453cc49a895acd5ea91cb06f3fc9f8adae890dbef8e31c389d00398e188566530ffcb45b0464dc2b2ba4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068539.exe
    Filesize

    526KB

    MD5

    ad7af1ae553baec57ce41810f504a283

    SHA1

    3640da4da0e01ad2251a79641024ca0833810af8

    SHA256

    10a3a1a4a5f060bc0282b9294e5ae6e102c43ee434f69b048ba8e53dfe4ff735

    SHA512

    cb9aad75d0d1c26675c5a8676d4ab1c25ae781b063fe453cc49a895acd5ea91cb06f3fc9f8adae890dbef8e31c389d00398e188566530ffcb45b0464dc2b2ba4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8645782.exe
    Filesize

    354KB

    MD5

    c077e34f38b58f69bc19669fc114b256

    SHA1

    a7caa675a2364a24baf33322af8d9f2d2b137b9c

    SHA256

    8b840686c1e87c4a64f85cc5893557b3c84786cab549f9e56d108c091e2b6066

    SHA512

    0e218f9fdd45be0609e4e6d544504add7e53fc4b8b3c17276e096704b68399aded9cc376fefad8e0cffceea5817086f522f75700aebfc96150a255651bde4b6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8645782.exe
    Filesize

    354KB

    MD5

    c077e34f38b58f69bc19669fc114b256

    SHA1

    a7caa675a2364a24baf33322af8d9f2d2b137b9c

    SHA256

    8b840686c1e87c4a64f85cc5893557b3c84786cab549f9e56d108c091e2b6066

    SHA512

    0e218f9fdd45be0609e4e6d544504add7e53fc4b8b3c17276e096704b68399aded9cc376fefad8e0cffceea5817086f522f75700aebfc96150a255651bde4b6e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1254105.exe
    Filesize

    172KB

    MD5

    6d793567c8f1c4cf39070613811dd1f2

    SHA1

    d1d34eba004684068418d01a639bd7368f5d75bb

    SHA256

    ce2bb8ba32e2a1ceb935ddeccbeb03557d4ae82ee2d1dc72dc78225772a8745a

    SHA512

    1a8d8cbdb7bbbb2e573c22464577f466352458bf4343e3697168ecb6852f956fb4b34f3089e0192007860d312ac6ef80e7db69e83c6860a805394d3ef0837b4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c1254105.exe
    Filesize

    172KB

    MD5

    6d793567c8f1c4cf39070613811dd1f2

    SHA1

    d1d34eba004684068418d01a639bd7368f5d75bb

    SHA256

    ce2bb8ba32e2a1ceb935ddeccbeb03557d4ae82ee2d1dc72dc78225772a8745a

    SHA512

    1a8d8cbdb7bbbb2e573c22464577f466352458bf4343e3697168ecb6852f956fb4b34f3089e0192007860d312ac6ef80e7db69e83c6860a805394d3ef0837b4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6463495.exe
    Filesize

    199KB

    MD5

    0d7386ee35a9f58e1442d7a313496ba3

    SHA1

    ff470c6d9d2a34940ad5c648a7b7248996237428

    SHA256

    ac2769af25884e7d3690e8b6dc1cb57249493f542f94d20784a8bb51ab6d5634

    SHA512

    3603707ad804305cd570158e9b458e75b01393ad75b99f8f549ba4e5142b4ffd5a89e9da4ea49df3b52ea49cdee5d0204b8f135dc28d0e0240966ef2ddf6a373

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6463495.exe
    Filesize

    199KB

    MD5

    0d7386ee35a9f58e1442d7a313496ba3

    SHA1

    ff470c6d9d2a34940ad5c648a7b7248996237428

    SHA256

    ac2769af25884e7d3690e8b6dc1cb57249493f542f94d20784a8bb51ab6d5634

    SHA512

    3603707ad804305cd570158e9b458e75b01393ad75b99f8f549ba4e5142b4ffd5a89e9da4ea49df3b52ea49cdee5d0204b8f135dc28d0e0240966ef2ddf6a373

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9222261.exe
    Filesize

    12KB

    MD5

    630d203bd36bc62c43ea5cf97efa525f

    SHA1

    010589038d38ad35381cc6dbef7aff45fba641bd

    SHA256

    372aa8e3a18ee6e0460892453e8019ec83e79de20e8bebc1dff0d4487d806e82

    SHA512

    5592c25901db361369f0ad3fa09a631123fc29fc041c5b88754241073975ffaf82e5f5af0c49b16b203261b8e63a59cb22c93fb58179e7ec9d43ab845a19437c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9222261.exe
    Filesize

    12KB

    MD5

    630d203bd36bc62c43ea5cf97efa525f

    SHA1

    010589038d38ad35381cc6dbef7aff45fba641bd

    SHA256

    372aa8e3a18ee6e0460892453e8019ec83e79de20e8bebc1dff0d4487d806e82

    SHA512

    5592c25901db361369f0ad3fa09a631123fc29fc041c5b88754241073975ffaf82e5f5af0c49b16b203261b8e63a59cb22c93fb58179e7ec9d43ab845a19437c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1054304.exe
    Filesize

    106KB

    MD5

    cf3c9eacfdb4485cc307500ec1214c59

    SHA1

    c92b0f0a1d42710410a4db98416be7d1b97e1136

    SHA256

    4c1d078bdeae620dc47e35255eab38302c27792e0ed169ec47000319ed200dd6

    SHA512

    ba68a69a8b24040a26aaec62cea5c77df9f69567ea3c552e46996a144445624d3771dc02a96d185beee7b37d15390ea3d7df799cbd78531e7bf63e264c465815

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1054304.exe
    Filesize

    106KB

    MD5

    cf3c9eacfdb4485cc307500ec1214c59

    SHA1

    c92b0f0a1d42710410a4db98416be7d1b97e1136

    SHA256

    4c1d078bdeae620dc47e35255eab38302c27792e0ed169ec47000319ed200dd6

    SHA512

    ba68a69a8b24040a26aaec62cea5c77df9f69567ea3c552e46996a144445624d3771dc02a96d185beee7b37d15390ea3d7df799cbd78531e7bf63e264c465815

    Download Submit

  • memory/1876-174-0x00000000005C0000-0x00000000005F0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1876-179-0x0000000002750000-0x0000000002760000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-188-0x0000000002750000-0x0000000002760000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1876-175-0x000000000A9C0000-0x000000000AFD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1876-176-0x000000000A540000-0x000000000A64A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1876-177-0x000000000A480000-0x000000000A492000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1876-178-0x000000000A4E0000-0x000000000A51C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1876-187-0x000000000C590000-0x000000000CABC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/1876-180-0x000000000A7F0000-0x000000000A866000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1876-181-0x000000000A910000-0x000000000A9A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1876-182-0x000000000B590000-0x000000000BB34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1876-183-0x000000000B0E0000-0x000000000B146000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1876-184-0x000000000B4F0000-0x000000000B540000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1876-186-0x000000000BE90000-0x000000000C052000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2020-161-0x0000000000E90000-0x0000000000E9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2712-166-0x00000000007B0000-0x00000000007BA000-memory.dmp

    Filesize

    40KB

    Download